IBM Remote Management Authentication via Active Directory

Most high-end IBM hardware comes with an RMM (Remote Management Module), which you will need if you ever hope to manage the equipment from anywhere other than right in front of the machine.  Managing the local accounts on the module is painful at best; a more secure method is to integrate it into an existing LDAP or Active Directory environment to provide single sign-on access.

To do this within the RMM:

  • Log in to the management module’s interface using an administrative account.
  • Expand “MM Control”
  • Select “Network Protocols”
    • Click on “Lightweight Directory Access Protocol (LDAP)”
    • Click “Use LDAP Servers for Authentication Only (with local authorization)”.  Select “OK” at the pop-up warning.
    • Click “Use Pre-Configured Servers” and enter the IP addresses of your domain controllers (port 389)
    • Under “Miscellaneous Parameters”:
      • Enter your Root DN.  For example, dc=mylocaldomain,dc=com
      • Select “w/ Login Credentials”
    • Click “Save”
  • Under “MM Controls”, click on “Login Profiles”
    • Click “Group Profiles”
    • Click “Add a Group”
      • Enter an Active Directory group name into the “Group ID” field.  For example, “Domain Admins”
      • Under “Role”, select “Custom”
      • Move all “Unassigned Roles” to “Assigned Roles” by clicking on each role.
      • Make sure the same is done for the “Assigned Scope”
      • Click “Save”

Cell phone Spyware – Super Scary

Just in time for Halloween (ok, a few days late): super scary details about what can be obtained by some of the spyware applications that install discreetly on smart phones.  While investigating a potential security breach, it was a huge eye opener to discover that these applications silently gather a multitude of information from the smart phone and upload it to a remote server for viewing at a later date by the offending party.

It should be noted that this type of software falls under federal wire-tapping regulations and, for civilians, carries a felony charge regardless of the relation to the individual being tapped.

The belief was that the iPhone, due to the regulation and control of the OS and applications, was immune.  However, as can be seen at http://www.squidoo.com/iphonespy, it is just as vulnerable as all of the other phones out there.  These software packages have the ability to grab all SMS, MMS, e-mail, and more, all in the background, regardless of whether the messages have been deleted.  They use the GPS to track the movements of the phone and upload that information to a remote server, where the individual monitoring the phone gets all of it displayed on a highly detailed map.

While these software packages are sold under the guise of exposing a spouse, the issue not covered is the raw data on the phone.  Aside from the wire-tap violation, many smart phone users have access to company proprietary information (HIPAA, PHI, etc.) that is not meant for the wilds of the internet.  Once that information is captured and sent off to some remote server, no one knows what is being done with that data.

The real question is how to detect this kind of software on work-issued phones, or on personal phones with work-related access.  Users are the weak point in the security chain.  User education is perhaps more important now than ever as cellular phones penetrate further into the work place.

Recovery, specifically on the iPhone, is performed by updating to the latest iOS.  All of those packages rely on a jailbroken phone, and Apple's iOS is obviously not jailbroken out of the box.

Squid + NTLM authentication failing in a Windows 2008 Domain Environment

Even the latest versions of Samba available via yum updates have trouble talking to Windows 2008 Domain Controllers.  A partial solution was found here.

Upon an upgrade to the AD environment, winbind starts throwing errors like the one below:

Aug 16 16:20:38 ourhost winbindd[2459]:   rpc_api_pipe: Remote machine OURDOMAINCONTROLLER.ourdomain.com pipe \NETLOGON fnum 0x800a returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

After the upgrade to Samba / winbind, squid started throwing the following authentication errors:

Aug 16 16:39:58 ourhost (ntlm_auth):   Login for user [ourdomain\[username]@[DESKTOPHOST] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]

In the end, it turns out that installing the latest Samba packages (samba3x) and re-joining the domain resolves this problem:

  • /etc/init.d/squid stop
  • /etc/init.d/winbind stop
  • cp /etc/samba/smb.conf /tmp/smb.conf
  • yum erase samba samba-common
  • yum install samba3x samba3x-client --disablerepo=rpmforge
  • cp /tmp/smb.conf /etc/samba/smb.conf
  • setfacl -m u:squid:rx /var/lib/samba/winbindd_privileged
  • kinit Administrator@OURDOMAIN.COM
  • net ads join -U Administrator
  • /etc/init.d/winbind start
  • wbinfo -u (to test to make sure you see user names)
  • /etc/init.d/squid start
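To spot the two failure modes quoted above in syslog before users start complaining, here is an added triage script (not part of the original post) that classifies winbindd and ntlm_auth log lines and maps each class to the corresponding step of the fix list. The sample log lines are constructed, modelled on the two messages in the post; the user and host names in them are placeholders.

```python
import re

# Constructed sample syslog excerpt modelled on the two errors quoted in the post
# (user "jdoe" and host "DESKTOP01" are placeholders, not real values).
SAMPLE_LOG = """\
Aug 16 16:20:38 ourhost winbindd[2459]:   rpc_api_pipe: Remote machine OURDOMAINCONTROLLER.ourdomain.com pipe \\NETLOGON fnum 0x800a returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
Aug 16 16:39:58 ourhost (ntlm_auth):   Login for user [ourdomain\\jdoe]@[DESKTOP01] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]
Aug 16 16:40:02 ourhost (ntlm_auth):   Login for user [ourdomain\\jdoe]@[DESKTOP01] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]
Aug 16 16:41:10 ourhost squid[3120]: Starting Squid Cache version 3.1 for x86_64
"""

# winbind lost the NETLOGON pipe to a domain controller (the first error in the post).
PIPE_RE = re.compile(
    r"winbindd\[\d+\]:.*Remote machine (?P<dc>\S+) pipe .*NT_STATUS_PIPE_DISCONNECTED")
# squid's ntlm_auth helper may not use the privileged winbind socket (the second error).
PRIV_RE = re.compile(
    r"\(ntlm_auth\):.*Login for user \[(?P<user>[^\]]+)\]@\[(?P<host>[^\]]+)\] "
    r"failed due to \[winbind client not authorized")

# Remediation text mirrors the steps in the post's fix list.
REMEDIATION = {
    "netlogon_pipe_disconnected":
        "winbind cannot talk to the DC: upgrade to the samba3x packages, "
        "then kinit and 'net ads join -U Administrator' and restart winbind",
    "winbindd_privileged_acl":
        "grant the squid user access to the privileged socket: "
        "setfacl -m u:squid:rx /var/lib/samba/winbindd_privileged",
}


def classify(line):
    """Return (error_class, detail) for a known error line, else None."""
    m = PIPE_RE.search(line)
    if m:
        return ("netlogon_pipe_disconnected", m.group("dc"))
    m = PRIV_RE.search(line)
    if m:
        return ("winbindd_privileged_acl", m.group("user"))
    return None


def summarize(log_text):
    """Count matching lines per error class; unrelated lines are ignored."""
    counts = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts


if __name__ == "__main__":
    for cls, n in summarize(SAMPLE_LOG).items():
        print(f"{cls}: {n} line(s) -> {REMEDIATION[cls]}")
```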